Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit gutenkit-blocks-addon allows Stored XSS. This issue affects GutenKit: from n/a through <= 2.2.2.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic cross‑site scripting flaw that occurs when the GutenKit plugin fails to properly escape user‑supplied input before rendering it in web pages. This flaw falls under CWE‑79 and enables an attacker to store malicious script code that is then served to any visitor of the compromised website. If exploited, the attacker could hijack user sessions, perform phishing attacks, or deface the site, thereby breaching the confidentiality, integrity, and availability of the web environment.

Affected Systems

This issue affects the GutenKit Block Addon developed by Ataur R. The vulnerability applies to all releases up to and including version 2.2.2; releases newer than 2.2.2 are presumed mitigated. No specific sub‑versions are listed beyond the upper bound of 2.2.2.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not yet listed as a known exploited vulnerability in the KEV catalog. The likely attack vector is through the plugin’s web interface where an authenticated user can inject content; the malicious script is stored and later executed when any site visitor loads the page. Successful exploitation would allow an attacker to run arbitrary client‑side code in the context of site visitors or administrators, potentially leading to credential theft or further damage.

Generated by OpenCVE AI on May 1, 2026 at 09:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GutenKit Block Addon to any version newer than 2.2.2, which removes the improper input handling flaw.
  • Disable or uninstall the GutenKit plugin if an immediate upgrade cannot be performed, thereby halting the vector for malicious scripts.
  • Verify that content submitted through GutenKit is no longer retained in stored form and that no reflective or stored scripts appear when the page is viewed by visitors.
  • Monitor site activity for unexpected JavaScript inserts and review logs for any unusual input patterns that might indicate attempted exploitation.

Advisories

Source: EUVD
ID: EUVD-2025-12303
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
Metrics (cvssV3_1)
  Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit gutenkit-blocks-addon allows Stored XSS.This issue affects GutenKit: from n/a through <= 2.2.2.
References (no values listed)
Metrics (cvssV3_1)
  Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 30 Apr 2025 15:30:00 +0000
First Time appeared
  Added: Wpmet; Wpmet gutenkit
CPEs
  Added: cpe:2.3:a:wpmet:gutenkit:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Wpmet; Wpmet gutenkit

Tue, 22 Apr 2025 14:15:00 +0000
Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000
Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS. This issue affects GutenKit: from n/a through 2.2.2.
Title
  Added: WordPress GutenKit plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Added: CWE-79
References (no values listed)
Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.097Z

Reserved: 2025-04-22T09:21:43.075Z

Link: CVE-2025-46253

Vulnrichment

Updated: 2025-04-22T13:34:23.848Z

NVD

Status: Modified

Published: 2025-04-22T10:15:20.133

Modified: 2026-04-23T15:29:57.647

Link: CVE-2025-46253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses